Hacker selling over 1 million decrypted Gmail and Yahoo passwords on dark web

Hardly a day goes without headlines about any significant data breach. Now, according to the recent news, login credentials and other personal data linked to more than one Million Yahoo and Gmail accounts are reportedly being offered for sale on the dark web marketplace.

The online accounts listed for sale on the Dark Web allegedly contain usernames, emails, and plaintext passwords. The accounts are not from a single data breach; instead, several major cyber-attacks believed to have been behind it. The hacker going by the online handle 'SunTzu583' has listed a number of cracked email packages on a series of dark websites.

Another 450,000 Gmail accounts for 0.0201 BTC (USD 25.76), which came from various other data breaches in Dropbox, Adobe, and others that took place between 2010 and 2016.

Last.FM data breach from 2012 exposed 43 million user accounts that were publicly released in September last year. Adobe breach from October 2013 exposed over 153 million accounts containing internal IDs, usernames, emails, encrypted passwords and a password hint in plain text. MySpace data breach from 2008 exposed 360 million user accounts, containing usernames, emails and their decrypted (plaintext) passwords, which were leaked on the dark web in 2016.

Google’s Gmail email service is known to be one of the most secure email services, but no company can secure their accounts from hackers due to a third party data breach. Millions of Gmail accounts, in which usernames, emails, and plaintext passwords were exposed, were stolen in multiple data breaches in Bitcoin Security Forum, Tumblr, Last.fm, 000webhost, Adobe, Dropbox, Flash Flash Revolution, LookBook and Xbox360 ISO, happened between 2008 and 2016.

The data listed for sale by SunTzu583 has not been independently verified, but has reportedly been checked by matching it to the data on a number of data breach notification platforms, including Hacked-DB and HaveIBeenPwned.

Here's What All You Can Do:

Needless to say, you should immediately change almost all your account passwords at least once. Also enable two-factor authentication for all your online accounts immediately. And once again, a strong recommendation: Don't Reuse Passwords. Also, you are recommended to change your password every few months, which limits how long a stolen password is useful to a hacker. Since no one can remember and recreate strong passwords for every single online account regularly, the best practice is to use a good password manager. It will generate, store and change regularly strong, unique passwords for all your accounts.